b'                     ADVISORY MEMORANDUM REPORT\n                     CONSOLIDATION OF SBA\xe2\x80\x99S SYSTEMS\n                           SUBJECT TO FISMA\n\n                          AUDIT REPORT NUMBER 5-19\n\n                                    MAY 20, 2005\n\n\n\n\nThis report may contain proprietary information subject to the provisions of 18 USC\n1905 and must not be released to the public or another agency without permission of the\nOffice of Inspector General.\n\x0c                   U.S. SMALL BUSINESS ADMINISTRATION\n                       OFFICE OF INSPECTOR GENERAL\n                           WASHINGTON, D.C. 20416\n\n\n                                                      ADVISORY MEMORANDUM\n                                                             REPORT\n                                                  Issue Date: May 20, 2005\n                                                  Number: 5-19\n\n\nTo:           Jerry E. Williams\n              Acting Chief Information Officer\n\n              /S/ Original Signed\nFrom:         Robert G. Seabrooks\n              Assistant Inspector General for Audit\n\nSubject:      Consolidation of SBA\xe2\x80\x99s Systems Subject to the Federal Information\n              Security Management Act\n\n        We have completed a review of SBA\xe2\x80\x99s major Information Technology (IT)\nsystems that are subject to the Federal Information Security Management Act (FISMA).\nOur overall objective was to determine if SBA could reduce its number of general\nsupport systems and major applications to its internally recommended five systems and\nstill meet FISMA security requirements. 
We have concluded that SBA has 16 major\napplications and four general support systems which meet criteria established by the\nOffice of Management and Budget (OMB) for FISMA reporting as major systems (See\nAppendix A for a list of systems we conclude meet the definition of a general support\nsystem or major application).\n\n        SBA reviewed a draft of this report and generally concurred with the conclusions\nin the report. SBA suggested changing two subsystems from the draft report.\nAdditionally, SBA suggested name changes to a number of its systems. SBA\xe2\x80\x99s full\nresponse is included as Attachment D to this report. All SBA suggested changes were\nincorporated into the final report.\n\n                                   BACKGROUND\n\n       Since the inception of the Government Information Security Reform Act (GISRA)\nin FY 2001 (the precursor of FISMA), the Office of Inspector General (OIG) has worked\nwith SBA management to correctly identify SBA\xe2\x80\x99s general support systems and major\napplications. In FY 2002, the OIG concluded that SBA could consolidate its major\nsystem list from 95 systems to 37 systems (OIG Report 2-28). Additionally, OIG has\nworked with SBA management to identify the correct number of systems which should\n\x0cbe subject to GISRA or FISMA requirements based upon OMB criteria. OIG has, in\nprevious audits, recommended the addition of NFC Payroll (OIG Report 3-20) as a major\napplication as well as the Sybase Servers (OIG Report 1-21) as a general support system.\n\n        Recently, SBA undertook a project to reduce its major systems subject to FISMA\nrequirements. SBA\xe2\x80\x99s preliminary results identified five mission critical systems subject\nto both its Continuity of Operations Program (COOP) and FISMA. As a result, SBA was\nproposing the declassification of approximately 34 systems subject to FISMA. 
SBA\ndecided on the five systems using criteria developed by the Department of Transportation\n(DOT) evaluation of its major systems subject to COOP. SBA requested OIG\xe2\x80\x99s\nconcurrence on the proposed reduction of the current list of 39 major IT systems to five.\nBased upon this request, OIG conducted a review to determine an appropriate number of\nSBA systems subject to FISMA.\n\n                  OBJECTIVES, SCOPE AND METHODOLOGY\n\n        The objective of this evaluation was to determine whether SBA could consolidate\nits major system list based upon criteria from OMB Memorandum 04-25 \xe2\x80\x9cFY 2004\nReporting Instructions for the Federal Information Security Management Act\xe2\x80\x9d and OMB\nCircular A-130 \xe2\x80\x9cManagement of Federal Information Resources.\xe2\x80\x9d\n\n   \xe2\x80\xa2   OMB Circular A-130 Appendix III provides that adequate security is defined as\n       security which is commensurate with the risk and magnitude of the harm resulting\n       from the loss, misuse, or unauthorized access to or modification of information.\n       This includes assuring that systems and applications used by the agency operate\n       effectively and provide appropriate confidentiality, integrity, and availability,\n       through the use of cost-effective management, personnel, operational, and\n       technical controls.\n\n   \xe2\x80\xa2   OMB Circular A-130 Appendix III describes an information system as a discrete\n       set of information resources organized for the collection, processing,\n       maintenance, transmission, and dissemination of information, in accordance with\n       defined procedures, whether automated or manual. 
Additionally, a major system\n       is an application that requires special attention to security due to the risk and\n       magnitude of the harm resulting from the loss, misuse, or unauthorized access to\n       or modification of the information in the application.\n\n   \xe2\x80\xa2   OMB Memorandum 04-25 provides that all major IT investments (those above\n       $500,000 which have Capital Asset Plans and Business Cases) would be\n       considered as "major" systems for FISMA purposes.\n\n       We held interviews with SBA personnel, reviewed SBA system Certification and\nAccreditation documentation and evaluated this information using existing criteria for\ngeneral support systems and major systems subject to FISMA. This evaluation occurred\nduring March and April 2005.\n\n\n\n\n                                            2\n\x0c                              EVALUATION RESULTS\n\n        SBA can achieve economies of scale in consolidating its existing 39 systems\nsubject to FISMA reporting into 20 systems (Appendix A) without reducing the\nunderlying security of SBA information within any of those systems. Additionally, SBA\nmay be able to increase its security efforts in concentrating on the residual risks in the\nremaining 20 systems (SBA plans to retire one system in December 2005 ultimately\nreducing the number of major systems subject to FISMA to a total of 19). Currently,\nSBA expends approximately $25,000 to recertify existing major SBA systems every three\nyears. SBA could potentially save approximately $158,333 every year or $475,000 every\nthree years in not performing Certifications and Accreditations (C&A) on systems which\nare really subsystems and feeder systems or nonmajor IT systems. 
See Appendix A, for a\nbreakdown of recommended consolidations of systems and recommended potentially\nnew systems.\n\nFinding 1: Consolidate Nine Existing Loan, Lending and Servicing Application\n           Systems into the Loan Accounting System\n\n        Nine current SBA systems can be consolidated into the current Loan Accounting\nSystem/Loan Accounting Daily Update Cycle (LAS/LADUC). These nine systems can\nbe consolidated as they perform functions such as feeder systems, subsystems, or\nreporting functions within current SBA systems. If this consolidation is performed\ncorrectly, it can occur without any loss in meeting the underlying Federal security\nrequirements for the systems.\n\n       The following nine SBA systems are identified for consolidation in to a\nConsolidated LAS/LADUC (See Appendix B):\n       \xe2\x80\xa2 Credit Bureau Reporting \xe2\x80\x93 Reports on delinquent or charged-off SBA loans to\n          credit bureau agencies.\n       \xe2\x80\xa2 Delinquent Loan Collection System \xe2\x80\x93 Tracks delinquent SBA loan payments.\n       \xe2\x80\xa2 Field Cashiering System \xe2\x80\x93 Accounts for funds collected at SBA field and\n          servicing offices for debt servicing against SBA loan balances.\n       \xe2\x80\xa2 IRS 1099C System \xe2\x80\x93 Reports non-collectable debt from SBA borrowers as\n          taxable income for IRS purposes.\n       \xe2\x80\xa2 General Ledger Only (GLO) \xe2\x80\x93 Transmits updates and keeps the Financial\n          Reporting Information System (FRIS) and the Joint Accounting and\n          Administrative Management System (JAAMS) synchronized with the Loan\n          Accounting System.\n       \xe2\x80\xa2 Litigation & Liquidation Tracking System \xe2\x80\x93 Tracks collateral liquidation and\n          loan liquidation activities.\n       \xe2\x80\xa2 Microloan Mainframe \xe2\x80\x93 A subsystem of the Loan Accounting System\n          specifically for processing SBA Microloans.\n       
\xe2\x80\xa2 Preauthorized Debit \xe2\x80\x93 Allows borrowers to automatically make SBA loan\n          payments from their bank accounts.\n       \xe2\x80\xa2 Treasury Offset System \xe2\x80\x93 Allows IRS Tax Refunds to be seized and paid on\n          SBA delinquent or written-off loans.\n\n\n                                            3\n\x0c        SBA could save approximately $225,000 years by consolidating from 10 systems\nto one system. Currently SBA expends $250,000 every three years to certify and accredit\n10 systems for performing C&A reviews. With the consolidation of the separate\nLAS/LADUC application systems into an overall LAS/LADUC major application\nsystem, SBA should be in a better position to manage its IT security funds spent\nperforming C&A reviews and achieve economies of scale in performing one overarching\nC&A on the LAS/LADUC system.\n\nRecommendations: We recommend that the Chief Information Officer in conjunction\nwith the owners of the Loan Accounting System / Loan Accounting Daily Update Cycle:\n\n1A.    Consolidate within the Loan Accounting System / Loan Accounting Daily Update\n       Cycle the following identified SBA major systems:\n          \xe2\x80\xa2 Credit Bureau Reporting,\n          \xe2\x80\xa2 Delinquent Loan Collection System,\n          \xe2\x80\xa2 Field Cashiering System\n          \xe2\x80\xa2 General Ledger Only\n          \xe2\x80\xa2 IRS 1099C System,\n          \xe2\x80\xa2 Loan Litigation & Liquidation Tracking System,\n          \xe2\x80\xa2 Microloan Mainframe,\n          \xe2\x80\xa2 Preauthorized Debit System, and\n          \xe2\x80\xa2 Treasury Offset System.\n\n1B.    Carry forward all individual risks in SBA\xe2\x80\x99s Plan of Actions and Milestones\n       (POA&M) for the Loan Accounting System to include the recommended\n       consolidated systems in recommendation 1A.\n\nSBA Response:\n\n1A:    OCIO partially agrees with the recommendation. 
The OCIO believes that General\n       Ledger Only (GLO) should be rolled up under LAS/LADUC.\n\n1B:    Agree.\n\nOIG Comment:\n\n       We modified the report to reflect that GLO is included in the LAS/LADUC\nconsolidated system.\n\nFinding 2: Consolidate Five Existing Financial Application Systems into a new\n           Denver Finance Center Application System\n\n       Five current SBA systems utilized by the Office of Chief Financial Officer\n(OCFO) as part of its Office of Financial Systems (OFS) located in Denver, Colorado can\nbe consolidated into a new Denver Finance Center System (DFCS) major application.\nThese five systems can be consolidated as they perform functions such as feeder systems,\n\n\n                                           4\n\x0csubsystems, or reporting functions which allow for complete and accurate financial\nreporting of financial operations at SBA. If this consolidation is performed correctly, it\ncan occur without any loss in meeting the underlying Federal security requirements for\nthe systems.\n\n       The following five SBA systems are identified (See Appendix C):\n       \xe2\x80\xa2 Cash Reconciliation System \xe2\x80\x93 Reconciles different transactions and reports\n          from Treasury. 
While the system is stand-alone, it is part of DFC\xe2\x80\x99s systems\n          which support SBA\xe2\x80\x99s financial statements.\n       \xe2\x80\xa2 OFS Automated Distributed Event Processing System \xe2\x80\x93 A feeder system to\n          the Loan Accounting System which uploads and downloads transactions from\n          and to Client/Server sub-applications at the Denver Finance Center.\n       \xe2\x80\xa2 OFS Disbursement System \xe2\x80\x93 An interface system which consolidates\n          disbursements from other SBA major systems and transmits a payment tape to\n          the Treasury Department for subsequent cash disbursements.\n       \xe2\x80\xa2 OFS Loan Accounting System \xe2\x80\x93 An accounting transaction system to\n          reconcile and balance financial information from other SBA systems to the\n          Loan Accounting System.\n       \xe2\x80\xa2 OFS Print 1201 System \xe2\x80\x93 An output file with loan and account billing\n          information which is transmitted to a contractor for printing for of bills owed\n          to SBA.\n\n        SBA could save approximately $75,000 by consolidating from five systems to\ntwo systems (one application system and one general support system as discussed in\nFinding #3). Currently SBA expends $125,000 to certify and accredit five systems for\nperforming C&A reviews. With the consolidation of the separate OFS application\nsystems into an overall DFCS major application system, SBA should be in a better\nposition to manage its IT security funds spent performing C&A reviews and achieve\neconomies of scale in performing one overarching C&A on the DFCS application system.\n\nRecommendations: We recommend that the Chief Information Officer in conjunction\nwith the Chief Financial Officer:\n\n2A.    
Consolidate into a new Denver Finance Center System (DFCS) the following\n       SBA identified major systems:\n          \xe2\x80\xa2 Cash Reconciliation System\n          \xe2\x80\xa2 OFS Automated Disbursement Event Processing System\n          \xe2\x80\xa2 OFS Disbursement System\n          \xe2\x80\xa2 OFS Loan Accounting System\n          \xe2\x80\xa2 OFS Print 1201 System\n\n2B.    Carry forward all individual risks in SBA\xe2\x80\x99s Agency Plan of Actions and\n       Milestones into the new DFCS for the consolidated systems identified in\n       recommendation 2A.\n\n\n\n\n                                             5\n\x0cSBA Comment:\n\n2A:    Agree\n\n2B:    Agree\n\nFinding 3: Certify and Accredit a new Denver Office of Financial Systems Data\n           Service System\n\n       Currently the OCFO Denver Finance Center maintains and operates a number of\nevent processors, file servers, snap servers, and web servers which are certified and\naccredited as part of SBA\xe2\x80\x99s Local Area Network/Wide Area Network (LAN/WAN)\nsystem accreditation. However, these systems are locally managed and operated and\nsupport a departmental data center (OFS). Therefore, we conclude that these systems\nshould be under separate accreditation as a general support system.\n\n        OMB Circular A-130 defines a General Support System as an interconnected set\nof information resources under the same direct management control which shares\ncommon functionality. A system normally includes hardware, software, information,\ndata, applications, communications, and people. A system can be, for example, a local\narea network (LAN) including smart terminals that support a branch office, an agency-\nwide backbone, a communications network, a departmental data processing center\nincluding its operating system and utilities, a tactical radio network, or a shared\ninformation processing service organization.\n\nRecommendations:\n\n3A.    
We recommend that the Chief Information Officer, in conjunction with the Chief\n       Financial Officer designate the computerized hardware, firmware and software\n       supporting the Denver Office of Finance Services Data Service System as a\n       general support system. Additionally, carry forward those individual risks\n       relating to the Denver OFS hardware, firmware and software which are reported\n       in the existing OFS Infrastructure C&A.\n\nSBA Response:\n\n3A:    Partially Agree. The name will be changed to Denver OFS Data Service System\n       and it will be included as a new GSS in the September FISMA report. A new\n       C&A will be conducted for this GSS by the end of 4th quarter. The platform\n       vulnerabilities from the Denver Finance Center Major Application, including the\n       OFS Infrastructure (ADEPS), will be addressed and revalidated in the new C&A\n       of the Denver Finance Center System.\n\nOIG Comment:\n\n       We modified the report to reflect the recommended name as requested by SBA.\n\n\n\n                                           6\n\x0cFinding 4: Consolidate Two Major Systems into Two Other Major Systems\n\n        Currently, there are four major systems, of which two major systems can be\nconsolidated into the C&A\xe2\x80\x99s of two remaining systems. If this consolidation is\nperformed correctly, it can occur without any loss in meeting the underlying Federal\nsecurity requirements for the systems. The two systems are:\n\n        Financial Institution Record System (FIRS) \xe2\x80\x93 A data base that contains\ninformation on all types of financial institutions which participate in SBA lending\nprograms. FIRS can be consolidated with the Partner Identification and Management\nSystem (PIMS). PIMS is a web-based system designed to replace FIRS when SBA\nmigrates off its legacy mainframe. 
At the present time, both systems interface with each\nother to maintain information on financial institutions.\n\n        Internet Connectivity Infrastructure (ICI) \xe2\x80\x93 Internet Connectivity Infrastructure\nand SBA\xe2\x80\x99s Local Area Network and Wide Area (LAN/WAN) are really different aspects\nof the same general support system. According to their C&A\xe2\x80\x99s:\n\n      \xe2\x80\xa2   ICI is the supporting infrastructure of servers, firewalls, routers and servers\n          including the public access server which allows the public to access SBA web\n          pages and also SBA personnel to utilize the internet.\n      \xe2\x80\xa2   LAN/WAN is the system and infrastructure which allows SBA employees to have\n          networked computers, printers, email, and access to SBA\xe2\x80\x99s major applications.\n\n        Currently, SBA can expect to save about $50,000 every three years (two systems\nat $25,000) to recertify the separate systems identified above which can be consolidated\ninto one general support systems LAN/WAN and one major application PIMS/FIRS.\n\nRecommendations: We recommend that the Chief Information Officer:\n\n4A.       In conjunction with the Office of Financial Assistance, consolidate the Financial\n          Institution Record System into the Partner Information and Management System\n          (PIMS).\n\n4B.       Consolidate the Internet Connectivity Infrastructure (ICI) with the Local Area\n          Network/Wide Area Network (LAN/WAN) for C&A purposes.\n\n4C.       Carry forward all individual risks in SBA\xe2\x80\x99s Agency Plan of Actions and\n          Milestones into the new PIMS/FRIS, and LAN/WAN respectively for the\n          recommendations 4A and 4B.\n\nSBA Response:\n\n4A:       Agree.\n\n\n\n\n                                               7\n\x0c4B:    The Chief Financial Officer (CFO) agrees with the consolidation of systems as\n       defined in Finding 4, with one exception. 
The CFO believes that the GLO system\n       should be consolidated in with the LADUC system, not the FRIS system. The\n       GLO system feeds LADUC (LAGD02), not FRIS, and does not serve any purpose\n       in the administrative accounting system. As such, it is just another system,\n       maintained by the OCIO that feeds LAS. Furthermore, including GLO in with the\n       FRIS will introduce a number of vulnerabilities which OFS Denver cannot\n       address, since they do not maintain or "own" this system. Future enhancements to\n       FRIS may include GLO functionality, however, until that happens, the CFO\n       feels that it should most appropriately be grouped with LADUC.\n\n4C:    Agree. The Local Area Network, Wide Area Network, and Internet Connectivity\n       Infrastructure (LAN/WAN/ICI) would be shortened to "Local Area Network and\n       Wide Area Network (LAN/WAN).\n\n4D:    Partially agree. GLO risks will carry forward to the new LADUC.\n\nOIG Comment:\n\n      We modified the report to reflect that GLO be included within LADUC instead of\ncombining it with FRIS. Additionally, we modified the report and dropped ICI from\nLAN/WAN.\n\nFinding 5: Alter the Boundaries of the Sybase General Support System and\n           Identify it as Headquarters Data Services System\n\n        Currently SBA\xe2\x80\x99s Sybase General Support System is the underlying infrastructure\nof application services for a number of client-server applications operated by the\nWashington based Headquarters Data Services system (HQDS). Some of these client-\nserver applications are stand-alone and some of these applications interface with the\nlegacy mainframe on a daily basis. 
Without these services, SBA\xe2\x80\x99s Loan Accounting\nSystem could not fully operate as it is a hybrid system of client-server and mainframe\ncapabilities.\n\n        SBA identified that the current name and boundaries of the Sybase C&A does not\nfully represent the full functionality performed and the future architecture of the general\nsupport system which will support the HQDS system. SBA further identified that\ncurrently there are a number of DBMS systems along with Sybase and that SBA is\nmigrating to Oracle as the agency-wide DBMS. Finally, SBA is migrating to a Java\nPlatform Enterprise Environment (J2EE) for application services.\n\n       This would include:\n       \xe2\x80\xa2 UNIX Solaris operating system,\n       \xe2\x80\xa2 Webservers for webpages,\n       \xe2\x80\xa2 Application servers for housing application business logic, and\n       \xe2\x80\xa2 Database servers for data storage.\n\n\n\n                                             8\n\x0c       To correctly and completely identify the underlying general support system which\nmaintains application functions performed at the HQDS, SBA suggested an overall\nboundary of IT functions for application services in one C&A renamed as the\nHeadquarters Data Services system.\n\nRecommendations: We recommend that the Chief Information Officer:\n\n5A.    Alter the boundaries of the Sybase general support system to include all\n       application support capabilities for client-server applications performed at the\n       Washington Headquarters Data Center and rename the general support system as\n       the Headquarters Data Services system.\n\n5B.    Carry forward all individual risks in the Sybase servers C&A to SBA\xe2\x80\x99s Agency\n       Plan of Actions and Milestones into the new WDC Application Services general\n       support system C&A.\n\n5C.    
Perform a new C&A on the WDC Application Services general support system as\n       the underlying application services are changed as per NIST 800-37.\n\nSBA Response:\n\n5A:    Partially agree. For the June FISMA report, the Sybase System will be retained as\n       a GSS. For the September FISMA report, the new Washington Data Center\n       (WDC) Application Services System GSS will be introduced. This new system\n       will encompass the current Sybase data servers as well as the web servers and\n       application servers used to access the Sybase data servers. The scope will include\n       the web servers currently accredited as part of the ICI.\n\n5B:    Partially agree. The Washington Data Center Applications Services Systems\n       would be changed to the "Headquarters Data Services (HQDS)" system. The\n       Sybase GSS vulnerabilities will be addressed and revalidated in the C&A of the\n       new HQDS Application Servers GSS. The vulnerabilities associated with the ICI\n       web servers will be addressed and revalidated in the C&A of the WDC\n       Applications Services GSS.\n\n5C:    Agree. A new C&A will be conducted for the WDC Application Services GSS in\n       accordance with NIST Special Publication 800-37 guidance.\n\nOIG Comment:\n\n       We have modified the report to reflect to reflect the recommended name as\nrequested by SBA.\n\n\n\n\n                                           9\n\x0cFinding 6: Decertify Five Existing Systems which do not meet the Definition of\n           Major Systems\n\n        Five current SBA systems identified as major systems can be decertified as these\nsystems do not meet the definition of a major system. 
While the information in these\nsystems is vital to different offices within SBA in allowing those offices to perform their\nduties, the information within those systems do not meet the definitions of a major\nsystem from an Agency prospective and should therefore be classified as a nonmajor\nsystem.\n\n       OMB Circular A-11, Section 300, identifies a major IT investment as a system or\ninvestment that requires special management attention because of its importance to an\nagency\xe2\x80\x99s mission; investment was a major investment in the FY 2004 submission and is\ncontinuing; investment is for financial management and spends more than $500,000.\nSystems not considered "major" are "nonmajor."\n\n        During interviews with SBA personnel and from reviewing system\ndocumentation, we identified five systems which could be decertified and therefore,\nidentified as nonmajor systems. These five systems are:\n\n   \xe2\x80\xa2   Fresno Action Trek \xe2\x80\x93 A loan inventory system used to track SBA loan servicing\n       actions.\n   \xe2\x80\xa2   Preferred Loan Processing \xe2\x80\x93 Provides facsimile support for loan applications\n       received from lenders requesting SBA guarantee of small business loans.\n   \xe2\x80\xa2   Dynamic Small Business Search (ProNet) \xe2\x80\x93 Initially a small business search data\n       base and engine, ProNet was combined with a Department of Defense system to\n       allow for one integrated search of small business contractors.\n   \xe2\x80\xa2   Guaranty Loan Reporting System \xe2\x80\x93 Previously reported on the status of SBA-\n       1502 reports received from Colson Fiscal Transfer Agent. 
The system currently\n       does not exist.\n   \xe2\x80\xa2   Sacramento LowDoc \xe2\x80\x93 A spreadsheet program which tracks the receipt of\n       facsimiles of loan applications received from SBA sponsored financial\n       institutions.\n\n        Currently, SBA can expect to save about $125,000 every three years (five systems\nat $25,000) by identifying these systems as nonmajor and by not performing a full-scale\nC&A on these systems. SBA will be able to utilize the $125,000 in better securing those\nsystems which meet FISMA criteria as general support systems or major applications.\n\n\n\n\n                                            10\n\x0cRecommendations: We recommend that the Chief Information Officer:\n\n6A.    In conjunction with the Office of Financial Assistance, declassify the following\n       non-major IT systems: Fresno Action Trek, Preferred Loan Processing, Guaranty\n       Loan Reporting System and Sacramento LowDoc.\n\n6B.    In conjunction with the Office of Government Contracting and Business\n       Development, declassify Pro-Net as it is a non-major IT system.\n\nSBA Response:\n\n6A:    Agree.\n\n6B:    Partially agree. TechNet should be a major application per the System Owner.\n\nPlease note: LLMS is the system name per the System Owner, not Expert Behavior.\n\nOIG Comment:\n\n         We modified the report to include TechNet as a major system. TechNet was\ninitially identified as a non-major IT system in the draft report. We also modified the\nname of the Loan Lender Monitoring System in Appendix A.\n\n                                          ***\n       The findings included in this report are the conclusions of the Auditing Division\nbased upon the auditors\xe2\x80\x99 review of SBA\xe2\x80\x99s general support systems and major\napplications. 
The findings and recommendations are subject to review and\nimplementation of corrective action by your office following the existing Agency\nprocedures for audit follow-up and resolution.\n\n       This report may contain proprietary information subject to the provisions of 18\nUSC 1905. Do not release to the public or another agency without permission of the\nOffice of Inspector General.\n\n       Should you or your staff have any questions, please contact Jeffrey R. Brindle,\nDirector, Information Technology and Financial Management Group, at\n(202) 205-[FOIA Ex. 2].\n\nAttachments\n\n\n\n\n                                            11\n\x0c                                                                ATTACHMENT A\n\n     LIST OF MAJOR SYSTEMS WHICH MEET FISMA CRITERIA AS\n     GENERAL SUPPORT SYSTEMS OR MAJOR APPLICATIONS\n\nSystem                           Owner   General Support Major Application\n                                         System\nDENVER OFS Data Service          OCFO                  1\nSystem\nEagan Mainframe                  OCIO                 1\nLAN/WAN                          OCIO                 1\nHeadquarters Data Services \xe2\x80\x93     OCIO                 1\nHQDS (Formerly Sybase\nServers)\n8a SDM MIS                       GCBD                                        1\nALCS                             ODA                                         1\nConsolidated LAS/LADUC           COO                                         1\nContract Loan Servicing          OFA                                         1\n(Formerly Colson)\nDCMS                             ODA                                         1\nDenver Finance Center Sys        OCFO                                        1\nE-Tran (Formerly ELOS)           OFA                                         1\nLoan Lender Monitoring System    OLO                                         1\n(LLMS)\nFinancial Reporting Info Sys     OCFO                                        
1\n(FRIS)\nHUBZone Application System       Hubzn                                       1\nJA2MS                            OCFO                                        1\nMPERS (Formerly Microloan        OFA                                         1\nData Entry)\nPartner Identification Mgt Sys   OFA                                          1\nSBA Payroll/Personnel System     OHCM                                         1\n(NFC)\nSurety Bond Guarentee (SBG)      OSG                                          1\nTechNet                          GCBD                                         1\n\nTotal General Support Systems                         4                      16\nand Major Applications\n\x0c                                                       ATTACHMENT B\n\n\n     LIST OF CURRENT MAJOR SYSTEMS WHICH CAN BE\n     CONSOLIDATED INTO THE LOAN ACCOUNTING SYSTEM\n     (Finding #1)\n\nSystem                       Owner Major Application\n\nConsolidated LAS/LADUC       COO                   1\nCredit Bureau Reporting      OFA\n(CBR)\nDelinquent Loan Collection   OFA\n(DLC)\nField Cashiering System      OCFO\nGeneral Ledger Only          OCFO\nIRS 1099C Reporting (IRS)    OFA\n\nLitigation & Liquidation     OFA\nTracking Sys (LLTS)\n\nMicroloan-Mainframe          OFA\n(MM)\n\nPre-Authorized Debit         OCFO\nSystem (PADS)\n\nTreasury Offset (TO)         OFA\n\x0c                                                     ATTACHMENT C\n\n\n    LIST OF CURRENT MAJOR SYSTEMS WHICH CAN BE\n    CONSOLIDATED INTO A NEW DENVER FINANCE CENTER\n    SYSTEM (Finding #2)\n\nSystem                     Owner Major Application\n\nDenver Finance Center      OCFO                  1\nSystem\nCash Reconciliation        OCFO\nSystem (CRS)\nOFS Disbursement (OFS      OCFO\nDis)\nOFS Infrastructure (OFS    OCFO\nInfa)\n\nOFS LA Accounting          OCFO\n\nOFS Print 1201 (OFS Pri)   OCFO\n\x0c                                                                   ATTACHMENT D\n                     
                     U.S. Small Business Administration
                                 Washington, D.C.

                                     May 12, 2005



To:     Robert G. Seabrooks
        Assistant Inspector General for Auditing

        /S/ Original Signed
From:   Jerry E. Williams
        Acting Chief Information Officer

Subject: Response to Consolidation of Small Business Administration's Systems (SBA)
         Subject to the Federal Information Management Act

Thank you for the opportunity to review and provide comments to the draft memorandum
advisory report on Consolidation of SBA's Systems Subject to the Federal Information
Security Management Act of April 14, 2005.

The Office of the Chief Information Officer met with SBA system owners to discuss and
reach a consensus on your consolidation recommendations. The attachment contains the
results of the discussions and identifies the actions the OCIO plans to take.

Should you or your staff have any questions about the attached comments, please contact
Ethel M. Matthews, Chief Information Security Officer at (202) 205-[FOIA Ex. 2].

Attachment

cc:
Jennifer Main
Peter McClintock
Stephen Kucharski
James VanWert

OCIO Response:

1A: OCIO partially agrees with the recommendation. The OCIO believes that General
Ledger Only (GLO) should be rolled up under LAS/LADUC.

1B: Agree.

2A: Agree.

2B: Agree.

3A: Partially agree. The name will be changed to Denver OFS Data Service System
and it will be included as a new GSS in the September FISMA report. A new C&A will
be conducted for this GSS by the end of 4th quarter. The platform vulnerabilities from
the Denver Finance Center Major Application, including the OFS Infrastructure
(ADEPS), will be addressed and revalidated in the new C&A of the Denver Finance
Center System.

OCIO / OCFO Response:

4A: Agree.

4B: The Chief Financial Officer (CFO) agrees with the consolidation of systems as
defined in Finding 4, with one exception. The CFO believes that the GLO system should
be consolidated in with the LADUC system, not the FRIS system. The GLO system
feeds LADUC (LAGD02), not FRIS, and does not serve any purpose in the
administrative accounting system. As such, it is just another system, maintained by the
OCIO, that feeds LAS. Furthermore, including GLO in with the FRIS will introduce a
number of vulnerabilities which OFS Denver cannot address, since they do not maintain
or "own" this system. Future enhancements to FRIS may include GLO functionality;
however, until that happens, the CFO feels that it should most appropriately be grouped
with LADUC.

4C: Agree. The Local Area Network, Wide Area Network, and Internet Connectivity
Infrastructure (LAN/WAN/ICI) would be shortened to "Local Area Network and Wide
Area Network (LAN/WAN)."

4D: Partially agree. GLO risks will carry forward to the new LADUC.

OCIO Response:

5A: Partially agree. For the June FISMA report, the Sybase System will be retained as
a GSS. For the September FISMA report, the new Washington Data Center (WDC)
Application Services System GSS will be introduced. This new system will encompass
the current Sybase data servers as well as the web servers and application servers used to
access the Sybase data servers. The scope will include the web servers currently
accredited as part of the ICI.

5B: Partially agree. The Washington Data Center Applications Services Systems
would be changed to the "Headquarters Data Services (HQDS)" system. The Sybase GSS
vulnerabilities will be addressed and revalidated in the C&A of the new HQDS
Application Servers GSS. The vulnerabilities associated with the ICI web servers will be
addressed and revalidated in the C&A of the WDC Applications Services GSS.

5C: Agree. A new C&A will be conducted for the WDC Application Services GSS in
accordance with NIST Special Publication 800-37 guidance.

6A: Agree.

6B: Partially agree. TechNet should be a major application per the System Owner.

Please note: LLMS is the system name per the System Owner, not Expert Behavior.

                                                                   ATTACHMENT E



                                         REPORT DISTRIBUTION


Recipient                                                              No. of Copies

Office of the Chief Financial Officer
Attention: Jeffrey Brown ....................................................................1

General Counsel...................................................................................3

U.S. Government Accountability Office .............................................................1